Windows Analysis Report
m6tly2Aqw4.exe

Overview

General Information

Sample name: m6tly2Aqw4.exe
renamed because original name is a hash value
Original sample name: 0f54220218afb5d0ea00fb8033509c773e3e8b3d.exe
Analysis ID: 1546803
MD5: 51d4e15fa77cf644ee90f42269bced3b
SHA1: 0f54220218afb5d0ea00fb8033509c773e3e8b3d
SHA256: cc05a4b105428e0c1bd13525c5cab229e67a9eb9ec77b92b158fe6fe419929f6
Tags: exe, ReversingLabs, user-NDA0E

Detection

FloodFix
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FloodFix
AI detected suspicious sample
Allows loading of unsigned dll using appinit_dll
Creates an undocumented autostart registry key
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Sigma detected: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: m6tly2Aqw4.exe Avira: detected
Source: C:\Program Files\Common Files\System\symsrv.dll Avira: detection malicious, Label: TR/Floxif.BB
Source: C:\Program Files\Common Files\System\symsrv.dll ReversingLabs: Detection: 100%
Source: m6tly2Aqw4.exe ReversingLabs: Detection: 92%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files\Common Files\System\symsrv.dll Joe Sandbox ML: detected
Source: m6tly2Aqw4.exe Joe Sandbox ML: detected
Source: m6tly2Aqw4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Directory created: C:\Program Files\Common Files\System\symsrv.dll

Spreading

Source: Yara match File source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED
Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5isohu.com/
Source: m6tly2Aqw4.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: m6tly2Aqw4.exe String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: m6tly2Aqw4.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aieov.com/
Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aieov.com/#

System Summary

Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: Detects Floxif Malware Author: Florian Roth
Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: Detects FloodFix Author: ditekSHen
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: Detects Floxif Malware Author: Florian Roth
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: Detects FloodFix Author: ditekSHen
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: Joe Sandbox View Dropped File: C:\Program Files\Common Files\System\symsrv.dll DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: String function: 006E8EEC appears 77 times
Source: m6tly2Aqw4.exe, 00000000.00000003.2074705008.00000000015A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: originalfilename cintanotes.exe 6 vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe, 00000000.00000002.2122138799.00000000006AF000.00000080.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamecintanotes.exe6 vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe, 00000000.00000002.2124690859.000000001002F000.00000004.00000001.01000000.00000004.sdmp Binary or memory string: OriginalFilenameLanguagePack vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe, 00000000.00000003.2074648577.0000000003AC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLanguagePack vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe Binary or memory string: OriginalFilenamecintanotes.exe6 vs m6tly2Aqw4.exe
Source: m6tly2Aqw4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.m6tly2Aqw4.exe.10000000.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: MAL_Floxif_Generic date = 2018-05-11, author = Florian Roth, description = Detects Floxif Malware, score = de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Program Files\Common Files\System\symsrv.dll, type: DROPPED Matched rule: MALWARE_Win_FloodFix author = ditekSHen, description = Detects FloodFix
Source: m6tly2Aqw4.exe Static PE information: Section: ZLIB complexity 1.0001057103737114
Source: m6tly2Aqw4.exe Static PE information: Section: ZLIB complexity 0.9927026098901099
Source: classification engine Classification label: mal100.troj.evad.winEXE@1/1@0/0
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe File created: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: m6tly2Aqw4.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe File read: C:\Users\user\Desktop\m6tly2Aqw4.exe
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: ws2help.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Directory created: C:\Program Files\Common Files\System\symsrv.dll
Source: m6tly2Aqw4.exe Static PE information: More than 223 > 100 exports found
Source: m6tly2Aqw4.exe Static file information: File size 4594535 > 1048576
Source: m6tly2Aqw4.exe Static PE information: Raw size of (nameless section) is bigger than: 0x100000 < 0x1a9200
Source: m6tly2Aqw4.exe Static PE information: Raw size of .textTh is bigger than: 0x100000 < 0x1fca00
Source: symsrv.dll.0.dr Static PE information: real checksum: 0x0 should be: 0x1f436
Source: m6tly2Aqw4.exe Static PE information: real checksum: 0x457c41 should be: 0x4658e3
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name:
Source: m6tly2Aqw4.exe Static PE information: section name: .textTh
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FF020 push ecx; mov dword ptr [esp], edx 0_2_006FF022
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EC0AC push 006EC1C8h; ret 0_2_006EC1C0
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FE0A4 push ecx; mov dword ptr [esp], ecx 0_2_006FE0A9
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006F3168 push ecx; mov dword ptr [esp], edx 0_2_006F316D
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EB148 push 006EB199h; ret 0_2_006EB191
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FB1F8 push 006FB258h; ret 0_2_006FB250
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FB2AE push 006FB3C4h; ret 0_2_006FB3BC
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FC349 push esp; ret 0_2_006FC351
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EB43C push 006EB468h; ret 0_2_006EB460
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EB402 push 006EB430h; ret 0_2_006EB428
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_0070369F push 007036E3h; ret 0_2_007036DB
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_007038D4 push 00703900h; ret 0_2_007038F8
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_00703890 push 007038BCh; ret 0_2_007038B4
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_0070292C push ecx; mov dword ptr [esp], edx 0_2_00702931
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FC9FA push esp; retf 006Fh 0_2_006FCA09
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FCA28 push esp; retf 006Fh 0_2_006FCA29
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006F3A0A push 006F3A7Bh; ret 0_2_006F3A73
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FBB60 push 006FBBADh; ret 0_2_006FBBA5
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006ECB34 pushad ; retf 0_2_006ECB35
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FCB1C push ecx; mov dword ptr [esp], edx 0_2_006FCB21
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_00701B04 push ecx; mov dword ptr [esp], edx 0_2_00701B06
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EBBD4 push 006EBC00h; ret 0_2_006EBBF8
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006F3B8E push 006F3BBCh; ret 0_2_006F3BB4
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_00702C56 push 00702D03h; ret 0_2_00702CFB
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EBC54 push 006EBC80h; ret 0_2_006EBC78
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EBC1A push 006EBC48h; ret 0_2_006EBC40
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FACBE push 006FAD3Dh; ret 0_2_006FAD35
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006E7CB0 push eax; ret 0_2_006E7CEC
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006EBD5D push 006EBD88h; ret 0_2_006EBD80
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_00702D08 push 00702D98h; ret 0_2_00702D90
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Code function: 0_2_006FCD10 push ecx; mov dword ptr [esp], edx 0_2_006FCD15
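The `push <imm32>; ret` pairs listed above are disguised jumps: the pushed immediate becomes the return address, so `ret` transfers control there without a `jmp` or `call` edge for a linear disassembler or call-graph tool to follow. The `push ecx; mov dword ptr [esp], edx` lines are a different thing, the ordinary Delphi stack-slot idiom (the sample also reads HKEY_CURRENT_USER\Software\Borland\Delphi\Locales, which is what the Delphi RTL does at startup), and the `push esp; retf 006Fh` lines are almost certainly data that the sweep decoded as code. The scanner below is an added example and not part of the report; its byte blob is constructed and the base address is chosen only so the output reads like the listing above.

```python
"""Scanner for the "push imm32; ret" pairs listed above, resolving each one to
the branch target it disguises.

Added example, not from the report. The byte blob and the base address are
constructed; the base is chosen only so the output reads like the listing."""
import struct

PUSH_IMM32, RET = 0x68, 0xC3


def find_push_ret(code, base):
    """Return (site_va, target_va) for every 68 xx xx xx xx C3 sequence.

    'push target; ret' behaves like 'jmp target' but leaves no jmp/call edge
    for a linear disassembler or call-graph builder to follow, so each hit
    is a control-flow edge the static analysis has to add by hand."""
    hits, i = [], 0
    while i + 6 <= len(code):
        if code[i] == PUSH_IMM32 and code[i + 5] == RET:
            hits.append((base + i, struct.unpack_from("<I", code, i + 1)[0]))
            i += 6
        else:
            i += 1
    return hits


def classify_target(target, image_base, image_size):
    """A target inside the image is the report's pattern; one outside it is
    more likely data that the linear sweep misread as code."""
    return "jump" if image_base <= target < image_base + image_size else "probably data"


# Constructed bytes (not the sample's): a prologue, a disguised jump that
# stays inside the image, filler, and a push/ret whose target is garbage.
SAMPLE_BASE = 0x6EC0AC
SAMPLE_CODE = (
    b"\x55\x8b\xec"                                            # push ebp; mov ebp, esp
    + b"\x68" + struct.pack("<I", 0x6EC1C8) + b"\xc3"          # push 6EC1C8h; ret
    + b"\x90" * 4                                              # nop filler
    + b"\x68" + struct.pack("<I", 0x41414141) + b"\xc3"        # push 41414141h; ret
)

if __name__ == "__main__":
    for site, target in find_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        print(f"{site:08X}: push {target:08X}h; ret  ->",
              classify_target(target, 0x6E0000, 0x100000))
```

Feed `find_push_ret` the raw bytes of a code section together with its virtual address and add each "jump" hit as an edge in the disassembler; the image range used for `classify_target` is the section's own start and size, and the `0x6E0000` / `0x100000` pair in the usage call is an assumption for the constructed sample, not the real image layout.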
Source: m6tly2Aqw4.exe Static PE information: section name: entropy: 7.999484842813451
Source: m6tly2Aqw4.exe Static PE information: section name: entropy: 7.986548844569612
Source: m6tly2Aqw4.exe Static PE information: section name: entropy: 7.965397455300278
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe File created: C:\Program Files\Common Files\System\symsrv.dll
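The static findings above (ZLIB complexity near 1.0, a stored CheckSum of 0x457c41 against a computed 0x4658e3 for the EXE and 0x0 for the dropped DLL, six nameless sections plus `.textTh`, section entropy above 7.96, and UPX0/UPX1 names) are all cheap to reproduce without a sandbox. The Python below is an added example, not part of the Joe Sandbox report and not pefile's code: `pe_checksum` implements the documented PE CheckSum algorithm (dword sum with carry folding, the CheckSum field skipped, plus file length, which is also what pefile does), and `build_minimal_pe` fabricates a tiny PE32 from constructed sections so the script runs offline; none of its bytes come from the sample.

```python
"""Static triage reproducing three findings above: the stored PE CheckSum
versus the computed one, nameless / non-standard / packer section names, and
per-section entropy.

Added example, not part of the Joe Sandbox report and not pefile's code.
pe_checksum() implements the documented PE CheckSum algorithm (dword sum with
carry folding, CheckSum field skipped, plus file length). build_minimal_pe()
fabricates a tiny PE32 with constructed sections so the script runs offline;
none of its bytes come from the sample."""
import math
import struct
from collections import Counter

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls", ".crt", ".debug"}
PACKER_SECTIONS = {"upx0", "upx1", "upx2"}
HIGH_ENTROPY = 7.5   # bits per byte; compressed or encrypted data sits near 8.0


def _headers(data):
    """Return (optional_header_offset, SizeOfOptionalHeader, NumberOfSections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    return pe + 24, opt_size, nsec


def pe_checksum(data):
    """CheckSum over the whole file, skipping the CheckSum field itself."""
    opt, _, _ = _headers(data)
    skip = (opt + 0x40) // 4              # dword index of the CheckSum field
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def entropy(buf):
    """Shannon entropy in bits per byte."""
    n = len(buf)
    if n == 0:
        return 0.0
    return max(0.0, -sum(c / n * math.log2(c / n) for c in Counter(buf).values()))


def sections(data):
    """Parse the section table into (name, raw bytes) pairs."""
    opt, opt_size, nsec = _headers(data)
    out = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        out.append((name.rstrip(b"\0").decode("latin-1"), data[raw_ptr:raw_ptr + raw_size]))
    return out


def triage(data):
    """Checksum state plus per-section name and entropy flags."""
    opt, _, _ = _headers(data)
    stored = struct.unpack_from("<I", data, opt + 0x40)[0]
    computed = pe_checksum(data)
    # 0 means the linker never filled the field (the dropped symsrv.dll); a
    # non-zero mismatch means the bytes changed after linking or signing.
    note = "unset" if stored == 0 else ("valid" if stored == computed else "mismatch")
    report = {"checksum": {"stored": stored, "computed": computed,
                           "ok": stored == computed, "note": note},
              "sections": []}
    for name, raw in sections(data):
        flags = []
        if not name:
            flags.append("nameless")
        elif name.lower() in PACKER_SECTIONS:
            flags.append("packer:UPX")
        elif name.lower() not in STANDARD_SECTIONS:
            flags.append("non-standard name")
        ent = entropy(raw)
        if ent >= HIGH_ENTROPY:
            flags.append("high entropy")
        report["sections"].append({"name": name, "entropy": round(ent, 3), "flags": flags})
    return report


def build_minimal_pe(secs, checksum=0):
    """Fabricate a small PE32 (test data only) from (name, bytes) sections."""
    align = 0x200
    hdr_size = 0x40 + 4 + 20 + 224 + 40 * len(secs)
    hdr_size += -hdr_size % align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, align)  # ImageBase, alignments
    struct.pack_into("<II", opt, 60, hdr_size, checksum)        # SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    table, body, raw_ptr, va = b"", b"", hdr_size, 0x1000
    for name, blob in secs:
        blob += b"\0" * (-len(blob) % align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(blob), va, len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr, va = body + blob, raw_ptr + len(blob), va + len(blob)
    struct.pack_into("<I", opt, 56, va)                         # SizeOfImage
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (hdr_size - len(head)) + body


# Constructed sections mirroring the report: an unnamed section of
# high-entropy bytes, a ".textTh" section, and a UPX stub name.
SAMPLE_SECTIONS = [
    ("", bytes(range(256)) * 16),              # entropy exactly 8.0
    (".textTh", b"\x90" * 1024),
    ("UPX0", b"not really packed data " * 40),
]
SAMPLE_PE = build_minimal_pe(SAMPLE_SECTIONS, checksum=0x457C41)  # stale CheckSum

if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

Run `triage(open(path, "rb").read())` on the real files to reproduce the report's numbers. A stored CheckSum of 0 only means the linker never filled the field, which is common for non-driver binaries; a non-zero mismatch means the bytes changed after the file was linked or signed, which fits an infected host executable (the version info here still names cintanotes.exe). Entropy near 8.0 in a section with no recognisable name is the same signal the ZLIB-complexity lines above express.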

Boot Survival

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Registry value created: RequireSignedAppInit_DLLs 0
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows LoadAppInit_DLLs
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Dropped PE file which has not been started: C:\Program Files\Common Files\System\symsrv.dll
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe TID: 2716 Thread sleep count: 289 > 30
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.00000000006E5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VBoxService.exe
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.000000000078E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ~VirtualMachineTypes
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.000000000078E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.00000000006E5000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: VMWare
Source: m6tly2Aqw4.exe, 00000000.00000002.2122169113.000000000078E000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
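The three registry writes at the top of this section (RequireSignedAppInit_DLLs set to 0, AppInit_DLLs and LoadAppInit_DLLs modified under WOW6432Node) are the complete AppInit persistence chain: once LoadAppInit_DLLs is 1 and the signature requirement is off, every 32-bit process that loads user32.dll maps the listed DLL, which is why the dropped symsrv.dll never needs to be started by the dropper itself. The Python below is an added example, not part of the Joe Sandbox report or the Sigma rule it cites; it triages Sysmon EventID 13 (registry value set) records for exactly this chain. The event records are constructed: the report shows the 0 written to RequireSignedAppInit_DLLs but not what was written to AppInit_DLLs or LoadAppInit_DLLs, so the symsrv.dll path and the value 1 in the sample events are assumptions.

```python
"""Triage Sysmon EventID 13 (RegistryEvent: value set) records for the
AppInit_DLLs persistence chain this report records under "Boot Survival".

Added example; not part of the Joe Sandbox report or the Sigma rule it cites.
The events are constructed, not real telemetry: the report shows the value 0
written to RequireSignedAppInit_DLLs but not what was written to AppInit_DLLs
or LoadAppInit_DLLs, so the symsrv.dll path and the value 1 are assumptions.
Field names follow Sysmon's RegistryEvent schema (EventID, Image,
TargetObject, Details)."""
import re
from collections import defaultdict

# The three values under ...\Windows NT\CurrentVersion\Windows that together
# make every process loading user32.dll map an attacker-chosen DLL. Both the
# native key and its WOW6432Node view are matched: a 32-bit writer (this
# sample is a 32-bit PE) is redirected to the WOW6432Node key, which is where
# the report shows the writes.
APPINIT_RE = re.compile(
    r"\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\Windows\\"
    r"(AppInit_DLLs|LoadAppInit_DLLs|RequireSignedAppInit_DLLs)$",
    re.IGNORECASE,
)
# Sysmon renders REG_DWORD values as "DWORD (0x00000001)".
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def parse_dword(details):
    """Return the integer behind a Sysmon DWORD rendering, or None."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return (value_name, reason) when an EventID 13 record is one of the
    three AppInit writes that matter, otherwise None."""
    if event.get("EventID") != 13:
        return None
    m = APPINIT_RE.search(event["TargetObject"])
    if not m:
        return None
    name, details = m.group(1), event.get("Details", "").strip()
    key = name.lower()
    if key == "appinit_dlls":
        # Any non-empty string is a DLL list; clearing the value is not a hit.
        return (name, f"AppInit_DLLs set to {details}") if details else None
    val = parse_dword(details)
    if key == "loadappinit_dlls" and val == 1:
        return (name, "LoadAppInit_DLLs enabled (1)")
    if key == "requiresignedappinit_dlls" and val == 0:
        return (name, "RequireSignedAppInit_DLLs cleared (0): unsigned DLLs allowed")
    return None


def triage(events):
    """Group hits by writing process. One process touching all three values
    is the complete chain and is rated critical; any single hit is high."""
    hits = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            hits[ev["Image"]].append(hit)
    findings = []
    for image, items in hits.items():
        touched = {name.lower() for name, _ in items}
        findings.append({
            "image": image,
            "severity": "critical" if len(touched) == 3 else "high",
            "reasons": [reason for _, reason in items],
        })
    return findings


WRITER = r"C:\Users\user\Desktop\m6tly2Aqw4.exe"
KEY = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_EVENTS = [  # constructed records, see module docstring
    {"EventID": 13, "Image": WRITER, "TargetObject": KEY + r"\RequireSignedAppInit_DLLs",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": WRITER, "TargetObject": KEY + r"\AppInit_DLLs",
     "Details": r"C:\Program Files\Common Files\System\symsrv.dll"},   # assumed value
    {"EventID": 13, "Image": WRITER, "TargetObject": KEY + r"\LoadAppInit_DLLs",
     "Details": "DWORD (0x00000001)"},                                  # assumed value
    # Benign noise: a different value under the same key, and a key-create
    # event (EventID 12) that sets nothing.
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout",
     "Details": "15"},
    {"EventID": 12, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": ""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"], finding["image"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Two caveats a responder should keep in mind. Writing HKEY_LOCAL_MACHINE and C:\Program Files\Common Files requires administrative rights, so the behaviour in this report is what the sample does when run elevated; under a standard user it would fail at both steps. And on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled by the OS regardless of these values, so the registry writes still make a good detection but do not by themselves prove that symsrv.dll was ever loaded; the report's own "Dropped PE file which has not been started" line says as much for the sandbox run.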

Anti Debugging

Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\m6tly2Aqw4.exe Process token adjusted: Debug
No contacted IP infos